CVE-2026-26979
Received Received - Intake
Privilege Escalation in Discourse Allows Unauthorized Topic Management

Publication date: 2026-02-26

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. Versions 2025.12.2, 2026.1.1, and 2026.2.0 patch the issue. No known workarounds are available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-03-02
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26979
EUVD
EUVD-2026-8879
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
discourse discourse From 2026.1.0 (inc) to 2026.1.1 (exc)
discourse discourse 2026.2.0
discourse discourse to 2025.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows privileged TL4 users to change the status of topics in private categories they should not have access to.

However, it does not impact the confidentiality, integrity, or availability of data or systems.

The severity is rated as low with a CVSS v4 base score of 0.0, indicating limited impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Discourse installation to one of the patched versions: 2025.12.2, 2026.1.1, or 2026.2.0.

There are no known workarounds available, so applying the official patches is the recommended immediate step.

Compliance Impact

This vulnerability does not lead to breaches in data confidentiality, integrity, or availability.

Therefore, it is unlikely to directly affect compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

I don't know

Executive Summary

CVE-2026-26979 is a vulnerability in the Discourse open source discussion platform that affects versions prior to 2025.12.2, 2026.1.1, and 2026.2.0.

The issue allows TL4 (Trust Level 4) users to close, archive, and pin topics in private categories to which they do not have access.

This means that users with a certain level of trust can manipulate the status of restricted topics without proper authorization.

There are no known workarounds, but patches are available in versions 2025.12.2, 2026.1.1, and 2026.2.0.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart